CVE-2023-51704 — Cross-site Scripting in Mediawiki

CWE-79 — Cross-site Scripting CWE-80 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.4%

top 39.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mediawiki Debian Mediawiki

Timeline

PublishedDec 22

Description

An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. In includes/logging/RightsLogFormatter.php, group-*-member messages can result in XSS on Special:log/rights.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/mediawiki< mediawiki 1:1.39.7-1~deb12u1 (bookworm)

▶NVDmediawiki/mediawiki1.36.0 — 1.39.6+2

▶Debianmediawiki/mediawiki< 1:1.35.13-1+deb11u3+3

Patches

Patch: phabricator.wikimedia.org ↗Patch: phabricator.wikimedia.org ↗

🔴Vulnerability Details

OSV

CVE-2023-51704: An issue was discovered in MediaWiki before 1↗2023-12-22

▶

GHSA

GHSA-pmh9-hwq5-vvpj: An issue was discovered in MediaWiki before 1↗2023-12-22

▶

📋Vendor Advisories

Red Hat

mediawiki: group-.*-member messages are not properly escaped on Special:log/rights↗2023-12-22

▶

Debian

CVE-2023-51704: mediawiki - An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x befor...↗2023

▶